Suspicious Digital Signature Of AppX Package

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects execution of AppX packages with known suspicious or malicious signature

Event coverage

Provider	Event ID	Title
AppxPackagingOM	157	The app package signature was validated for core content of the app package published by subjectName.

Stages and Predicates

Stage 1: `selection`

subjectName: 'CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`subjectName`	eq	`CN=Foresee Consulting Inc., O=Foresee Consulting Inc., L=North York, S=Ontario, C=CA, SERIALNUMBER=1004913-1, OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization`

Suspicious Digital Signature Of AppX Package

Event coverage

Stages and Predicates

Stage 1: selection

Indicators

Stage 1: `selection`